Archives For Facebook

Applications are more and more subject to be integrated with other applications. Clear examples are Social Networks like Facebook, Twitter and LinkedIn: it’s very common to see links between them, as well as other applications integrating with Social Networks. This interconnection is so important that it has involved many Enterprise applications as well.

The net result is that the relationships between applications are defining a network, where each one of them takes a role that can big or small depending on the application characteristics, but it is an important role nevertheless.

This Network of Applications defines a new Internet, quite different from the one it was when all this started, and this new Internet is so interconnected and pervasive that it includes directly or indirectly a big part of many (most? all?) Enterprise’s infrastructures as well. We do live in the Cloud’s Era, don’t we?

This interconnected thing reminds me of our brain and of our body by extent, not only because it is clearly a parallel to the synapses, but also because it is subject to illness as well. The more I think about it, the more the dynamic of most of the current attacks shows clear similarities with the propagation of a virus in an organic body: you start with a localized infection – a system or two are compromised – then it spreads to some adjacent systems and voilà! You have a serious illness that has gained control of the attacked body. This is very like to how Advanced Persistent Threats go, and to attacks like the infamous Pass-The-Hash. The idea behind those attacks is to gain access to the real prize a step at a time, without rushing to it, trying to consolidate your position within the attacked infrastructure before someone detects you.

The main difference between the organic body and many pieces of this Network of Applications is that the latter have not yet developed the antibodies needed to detect the attacks, and therefore it is even less able to vanquish those attacks. This weakness allow compromising entire Enterprise Networks starting from a single Client and, as a consequence, gaining access to strategic resources like the Domain Controllers, through a series of patient intermediate steps.

A single weakness allows the first step; the others let the castle collapse.

If we extend those concepts to the whole Internet as a Network of Applications, it is clear that nowadays attackers have plenty of choices about how to attack and gain control of a System, if necessarily starting from a very far vulnerable point. Target’s attackers started from a supplier, for example.

One of the principles of Security is that a system is as secure as its “weakest link”. This sentence implies that the said system can be represented as a chain, where data is processed linearly. But what if you have a multi-dimensional reality, where each node could potentially talk with any other one? You rapidly have an headache… and a big opportunity for any potential attacker.

In this scenario, there is only a feasible answer to the quest for Security: that any actor considers creating Secure Applications and to maintain their security over time as a personal responsibility toward its customers, toward its peers, toward Internet as a whole and toward itself.

Disclaimer

The author of this Blog, Simone Curzi, has been a Senior Consultant and Delivery Architect in Microsoft Consulting Services (MCS) Italy for more than 6 years and has spent a total of 15 year as a Consultant in MCS. After having spent 2 years as a Security Premier Field Engineer for Microsoft Proactive Services (CSS), he has recently joined Microsoft Global CyberSecurity Practice (GCP) as Senior Consultant.
Simone is also the Leader of Microsoft Technical Community for Application Security.
The content published here express his own personal opinions only. By any means they do not necessarily reflect Microsoft's assessments or persuasions around Security or any other topic discussed in this Site. Microsoft has not participated directly or indirectly to the preparation of the current Site, for example by providing any resource other than paying for the salary.
The content is based on public information and sanitized experiences: it will not contain Microsoft Internal-Only material nor information traceable to actual Customers, even if someone could occasionally recognize himself or herself.